Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access?

[X] Yes
[ ] No
[ ] Unsure/don’t know


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


[ ] Yes
[X] No
[ ] Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


More specific guidance is required in the section on “Can a request be made on behalf of 
someone” particularly at page 12 where it is stated that “It is reasonable to assume that
an attorney with authority to manage the property and affairs of an individual has the 
appropriate authority to make an SAR on their behalf.” Based on legal advice and our 
experience of dealing with such requests for health and social care records, I feel it needs 
to be clearer that the request is ‘on behalf of’ the patient/client and even with power of 
attorney it does not provide unfettered access to someone’s sensitive healthcare records. 
Any access provided should be limited to that information required to manage the 
individual’s affairs and be in their best interests. In the case of sensitive health and social 
care records, this may be determined by the relevant professional. 


In the section on ‘can we clarify the request’ surely the time period for responding does 
not start until we have the necessary information, clarification or context (see section on 
information contained in emails) to allow us to identify and locate the required 
information / records (as per FOI Act guidelines). There will be circumstances where the 
request simply cannot proceed without this clarification or context therefore the time limit 
must be paused / request put on hold? 


On page 14 (if a request mentions FOI), the 3rd bullet point should include.... (or 3
months if the request is complex).


‘Social Work data’ section makes specific reference to local authorities in Scotland 
however no reference is made to the circumstances in Northern Ireland where we have a 
joined up Health and Social Care system; including multidisciplinary teams contributing to 
the same record. 


Q3 Does the draft guidance contain enough examples? 


[ ] Yes
[X] No
[ ] Unsure/don’t know


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Given the large volume of sensitive / special category information held by the NHS and 
the high number of SARs received as a result, I feel there could be more examples that 
reference health and social care records and associated issues around the release of such 
records, particularly within the 'Health Data Section' where the request is from a 3rd 
party (family member) or the records are more likely to contain 3rd party information 
(e.g. social services records). 


In connection with my comment at Question 2 (above) an example about a request for 
the health records of an adult who lacks capacity would be helpful under the section on 
“Can a request be made on behalf of someone”, making it clear that an attorney or 
personal representative does not have unfettered access but that any access provided 
must be in the data subject’s best interests and limited to what is required to meet
his/her needs.


Some sector specific examples of ‘complex’ requests (where the timeframe for 
responding can be extended) would be helpful. Suggestions for ‘complex’ requests within 
health and social care could be: 


• Significant amount of third party personal data
• Large amount of redaction required prior to release of information
• Large volume of notes held
• Historical information rather than current information
• Records that cross more than one discipline
• Records held across systems or in different formats
• Assessment as to capacity under the Mental Capacity Act required


It could also be made clear in the guidance that resource issues such as staff availability, 
time and conflicting priorities cannot be used to extend the response timeframe as these 
issues are not directly related to the request. 


Suggest an example regarding ‘verbal requests’: e.g. a patient known to a service
phones the hospital secretary and asks for a list of dates of attendance or a copy of a 
letter be sent to him / her to include with an application for benefits. It is ok to accept 
this verbal request and send such basic information to the known address, or provide this 
information verbally if there is no doubt about identity; however for more detailed or 
sensitive information or if you are not sure about the identity of the caller, a more formal 
request requiring proof of ID may be more appropriate to avoid a data breach. 


Page 37 - reference to exemption where “...it would have a damaging or detrimental 
effect on what you are doing” - perhaps include an example regarding HR processes such 
as a SAR made during an ongoing disciplinary process. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


A request for historical Social Care records which run to multiple volumes (e.g. 20+ files)
and often contain routine daily entries made over many years of care, often by 
professional staff who no longer work for the Trust / Authority. A more focused request, 
perhaps with the help of professional staff, would help the applicant to receive important 
and relevant information that would be of most help in providing a history of their care. 
This would also reduce the burden on public sector staff (social workers with a heavy 
caseload) having to photocopy, review and redact many files dating back over years. 


Requests for ‘all emails about me’. In a large organisation there will be thousands of 
email users with many emails sent on a daily basis. An employee may have sent,
received, been copied into or been mentioned in emails which are not their personal 
information. More context will help identify relevant information, assisting the applicant 
and avoiding unnecessary work. 


Q5 On a scale of 1-5 how useful is the draft guidance?


1 - Not at all useful
2 - Slightly useful
3 - Moderately useful
4 - Very useful
5 - Extremely useful


Q6 Why have you given this score? 


I believe this guidance is well overdue and will be ‘very useful’ when finalized and issued. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand?


Strongly disagree
Disagree
Neither agree nor disagree
Agree
Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


At the bottom of page 18, should the word be ‘unreasonable’? 


Page 66 - Health data. It would be helpful if the reference to legislation that deals with 
requests for a deceased person’s records also made reference to the Common Law Duty 
of Confidential and indicated that any such access will be limited and does not provide 
unfettered access to a deceased patient’s confidential health records e.g. “....a third party 
may, in limited circumstances, be able to access relevant information....” 


Q9 Are you answering as: 


[ ] An individual acting in a private capacity (eg someone
    providing their views as a member of the public)
[ ] An individual acting in a professional capacity
[X] On behalf of an organisation
[ ] Other


Please specify the name of your organisation: 


Western Health and Social Care Trust 


What sector are you from: 


Health and Social Care (Northern Ireland) 


Q10 How did you find out about this survey? 



ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 


Thank you for taking the time to complete the survey 


